commit e1578a50fba557ee2a8511aa75441f2098b941c5
author Shikha Panwar <shikhapanwar@google.com> Wed Nov 30 11:22:10 2022 +0000
committer Shikha Panwar <shikhapanwar@google.com> Thu Dec 01 14:59:06 2022 +0000
tree 1e5c3733352a15d53a6f95c2d6e19fb098e40084
parent ddc29b8d796a8a7bbb497b2128440916e747a75f

Sepolicy for microdroid_manager.init_done

Add a new selinux context: microdroid_lifecycle_prop for properties like
microdroid_manager.init_done. Also adding neverallow rule to not let
anyone other than init & microdroid_manager set it.

Bug: 260713790
Test: Builds
Change-Id: I81470ce596cfe5870b6777b6ae6fde3a0dc486d1

microdroid/system/private/microdroid_manager.te

diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 4c19cfe..baf8366 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -85,6 +85,9 @@
 # Allow microdroid_manager to set sysprops calculated from the payload config
 set_prop(microdroid_manager, microdroid_config_prop)
 
+# Allow microdroid_manager to set sysprops related to microdroid_lifecycle (ex. init_done)
+set_prop(microdroid_manager, microdroid_lifecycle_prop)
+
 # Allow microdroid_manager to shutdown the device when verification fails
 set_prop(microdroid_manager, powerctl_prop)
 

microdroid/system/private/property.te

diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 733bb33..d983775 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -45,10 +45,10 @@
     domain
     -init
     -microdroid_manager
-} microdroid_config_prop:property_service set;
+} {microdroid_config_prop microdroid_lifecycle_prop}:property_service set;
 
 neverallow {
     domain
     -init
     -microdroid_manager
-} microdroid_config_prop:file no_rw_file_perms;
+} {microdroid_config_prop microdroid_lifecycle_prop}:file no_rw_file_perms;

microdroid/system/private/property_contexts

diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index ad8a064..5022677 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -124,6 +124,8 @@
 microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact bool
 microdroid_manager.config_done u:object_r:microdroid_config_prop:s0 exact bool
 
+microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
+
 dev.mnt.blk.root   u:object_r:dev_mnt_prop:s0 exact string
 dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
 dev.mnt.dev.root   u:object_r:dev_mnt_prop:s0 exact string

microdroid/system/public/property.te

diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index fdb8cc5..a2c3b77 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -41,6 +41,7 @@
 type microdroid_manager_roothash_prop, property_type;
 type microdroid_manager_zipfuse_prop, property_type;
 type microdroid_config_prop, property_type;
+type microdroid_lifecycle_prop, property_type;
 type property_service_version_prop, property_type;
 type shell_prop, property_type;
 type timezone_prop, property_type;